Symantec Data Loss Prevention 12: Administration
Labs and Appendices
100-002799-C
CONFIDENTIAL - NOT FOR DISTRIBUTION

COURSE DEVELOPERS
Oscar Pnes
Gaurav Srivastava

LEAD SUBJECT MATTER EXPERTS
Jennifer Carlson
Shawn Chen
Fjon Klein
Kenneth Liu
Joann Pavlovcak
Michael Plavin
Dinesh Rajwani
Steve Rudman
Sumit Sarin
Wade Walters
Ben Yang

TECHNICAL CONTRIBUTORS AND REVIEWERS
Kunal Bijur
Lani Chan
Tory Gilbert
Robert Gutcho
Charles McLendon
Pauline Pickle
Steve Randall
Ernest Simmons

Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and VERITAS are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

THIS PUBLICATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS PUBLICATION. THE INFORMATION CONTAINED HEREIN IS SUBJECT TO CHANGE WITHOUT NOTICE.

No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Symantec Data Loss Prevention 12: Administration
Symantec Corporation World Headquarters
350 Ellis Street
Mountain View, CA 94043
United States
http://www.symantec.com


Table of Contents

Appendix A: Labs
  Lab 2: Navigation and reporting ..... A-1
  Lab 3: Incident Remediation and Workflow ..... A-5
  Lab 4: Policy Management ..... A-23
  Lab 5: Response Rule Management ..... A-29
  Lab 6: Described Content Matching ..... A-33
  Lab 7: Exact Data Matching and Directory Group Matching ..... A-41
  Lab 8: Indexed Document Matching ..... A-49
  Lab 9: Vector Machine Learning ..... A-59
  Lab 10: Network Monitor Review ..... A-61
  Lab 11: Network Prevent ..... A-67
  Lab 13: Network Discover and Network Protect ..... A-73
  Lab 14: Endpoint Prevent ..... A-87
  Lab 15: Endpoint Discover ..... A-95
  Lab 17: System Administration ..... A-101

Appendix B: Lab Solutions
  Lab 2: Navigation and reporting ..... B-1
  Lab 3: Incident Remediation and Workflow ..... B-9
  Lab 4: Policy Management ..... B-45
  Lab 5: Response Rule Management ..... B-57
  Lab 6: Described Content Matching ..... B-65
  Lab 7: Exact Data Matching and Directory Group Matching ..... B-77
  Lab 8: Indexed Document Matching ..... B-91
  Lab 9: Vector Machine Learning ..... B-105
  Lab 10: Network Monitor Review ..... B-109
  Lab 11: Network Prevent ..... B-123
  Lab 13: Network Discover and Network Protect ..... B-137
  Lab 14: Endpoint Prevent ..... B-163
  Lab 15: Endpoint Discover ..... B-181
  Lab 17: System Administration ..... B-191

Appendix C: Complementary Symantec Products
  Complementary Symantec Products: Overview ..... C-3
  Data Insight Integration and Reporting ..... C-4
  Data Classification for Enterprise Vault ..... C-30

    Appendix D: Network Monitor Advanced Details

    Appendix E: Endpoint Agent Events

    Appendix F: Services and Directory Structure

    Appendix G: Obtaining Technical Support from Symantec


  Using self-help resources ..... G-2
  Obtaining customer support ..... G-7

Symantec Acronym Glossary


Appendix A: Labs



Lab 2: Navigation and reporting

In this lab, you perform tasks that reinforce the concepts presented in the lesson.

Two parallel versions of the labs enable you to select the level of detail that suits your experience: Appendix A provides step-by-step lab instructions. Appendix B provides complete lab instructions and solutions.

Objectives

The purpose of this lab is to familiarize yourself with the navigation of the Symantec Data Loss Prevention user interface. You also learn to create, schedule, and distribute Symantec Data Loss Prevention reports and, lastly, to create a custom attribute.

Note: The following symbol represents the VM image you need to access in order to continue with the upcoming lab steps. In this example, the prompt indicates the Enforce system. Administrator and Training1 refer to the Windows username and password for the system in this image. Because automatic logon is used, this information is not required unless you manually log out of Windows.

Enforce: Administrator:Training1


Exercise 1: Exploring the UI controls

Enforce: Administrator:Training1
User name: Administrator
Password: protect4

In this exercise you practice viewing your profile and examining online Help.

1 Verify that the following systems are online: Enforce, Endpoint Client.

2 Double-click the Symantec Enforce Server shortcut on the desktop and log in as Administrator.

3 View your profile.

4 Open online Help and work through its options.
  Use the Contents tab to find information on Role-Based Access in Managing Roles and Users.
  Use the Search tab to find information on Alerts.
  Use the Index tab to find information on Described Content Matching (DCM) and Response Rules - Configuring Actions.
  Navigate to Incidents > Network for context-sensitive help.

5 How many main topics are listed under the Contents tab? Name five (5).

6 Use the Index tab and answer the following question: What is the definition of trial mode for a Network Prevent Server?


Exercise 2: Navigating the UI

Symantec Data Loss Prevention offers main drop-down directories and subdirectories, and easily accessible configuration of the system. In this exercise, you familiarize yourself with the location of items you use in upcoming labs.

1 Use the System tab to view its subdirectories and look at the Overview and Server Detail pages.
  Review the System > Servers > Overview page.
  Review the Server Detail page for the Network Monitor server named Monitor 1.

2 Use the Manage tab to view the following policies and response rules.
  Customer Data (DCM) policy.
  Customer Data (DCM) policy's response rules.
  Actions and Conditions for the Block e-mail and Send Notification to Sender and ITSecurity response rule.
  Suspend all policies.

3 Use Incidents to view All Reports and an incident snapshot.
  View Network > Incidents All.
  View the incident snapshot for Incident ID 00000127.
  Note: View only. Do not make changes.
  View the saved report Main Dashboard.

4 Log out of the Enforce console.


Exercise 3: Creating a custom attribute

Enforce: Administrator:Training1
User name: Administrator
Password: protect4

1 Open a web browser and log in as Administrator.

2 Add a new Custom Attribute to the Attribute Group Current Job Status.
  Custom Attribute Name: Title
  New Attribute Group: Current Job Status

End of lab


Lab 3: Incident Remediation and Workflow

In this lab, you learn to use Symantec Data Loss Prevention reports and workflow to effectively remediate incidents. You also learn to create roles, users, and attributes.


Exercise 1: Create status attributes, roles, and users

Enforce: Administrator:Training1

ACME is ready to build their incident response team strategy. The ACME project team has reviewed the financial services solution pack and determined they require additional roles. ACME requires that the first line responders for all customer data have limited access to view the incident information to ensure that ACME safeguards employee privacy.

1 Add a new Status Attribute.
  Status Attribute Name: Resolved - HR
  Status Group: Resolved

2 Edit an existing Status Group.
  Member Status: Resolved, Resolved - Education, Resolved - HR

3 Add a new role.
  Role name: First Line Responder
  View Permissions: Perform attribute lookup, Delete incidents, Export Web archive, Incident Reporting, Incident Update


  Attribute Restrictions
    Display: History, Body, Sender, Original Message, Username, Machine Name, File Owner
    Custom: Employee Code, Last Name, Region, First Name, Phone, Sender Email
  Incident Access Restrictions: Policy Group is any of Customer Data Group

4 Add a second new role.
  Role name: First Line Manager
  View Permissions: Perform attribute lookup, Delete Incidents, Export Web Archive, Incident Reporting, Incident Update
  Attribute Restrictions: None - Leave at default
  Incident Access Restrictions: Remediate incidents for only the Customer Data Group when incident Status is Escalated or Requires Training
  Policy Management: Author policies for the Customer Data Group.

5 Add the firstlineresponder User.
  Name: firstlineresponder
  Password: responder
  Email Address: [email protected]
  Role: First Line Responder


6 Add the firstlinemanager User.
  Name: firstlinemanager
  Password: manager1
  Email Address: [email protected]
  Role: First Line Manager

7 Log in as each new User: firstlineresponder and firstlinemanager. Notice the restrictions in the accounts.
  Name: firstlineresponder, Password: responder
  Name: firstlinemanager, Password: manager1

8 Log out of the console.
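The two roles above differ in three independent controls: which policy groups they may access, which incident statuses they may access, and which incident attributes they may display. The following added example models those controls as code so the effect of each setting can be checked; it is not Symantec DLP code or part of the course material. The Role and Incident classes, the helper names (can_access, redact, work_queue, set_status, escalation_handoff) and the sample incidents are constructed here. The policy-group and status restrictions copy the lab's values; the set of attributes each role may display is an assumption.

```python
"""Least-privilege incident access as configured in Lab 3, Exercise 1.

Added illustration, not Symantec DLP code. Role, Incident, the helper
functions and the sample incidents are constructed for this example. The
policy-group and status restrictions copy the lab's values; which attributes
each role may display is a constructed assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Role:
    name: str
    policy_groups: FrozenSet[str]        # Incident Access Restriction: policy group
    statuses: Optional[FrozenSet[str]]   # Incident Access Restriction: status (None = any)
    display_attributes: FrozenSet[str]   # Attribute Restriction: what the role may see


@dataclass
class Incident:
    incident_id: str
    policy_group: str
    status: str
    attributes: Dict[str, str] = field(default_factory=dict)


# Lab values for both roles; the display sets are assumptions, chosen so the
# responder sees less about the employee than the manager does.
FIRST_LINE_RESPONDER = Role(
    name="First Line Responder",
    policy_groups=frozenset({"Customer Data Group"}),
    statuses=None,
    display_attributes=frozenset({"Policy", "Region", "Employee Code"}),
)
FIRST_LINE_MANAGER = Role(
    name="First Line Manager",
    policy_groups=frozenset({"Customer Data Group"}),
    statuses=frozenset({"Escalated", "Requires Training"}),
    display_attributes=frozenset(
        {"Policy", "Region", "Employee Code", "First Name", "Last Name", "Sender", "Body"}
    ),
)


def can_access(role: Role, incident: Incident) -> bool:
    """Incident access restriction: policy group first, then status."""
    if incident.policy_group not in role.policy_groups:
        return False
    return role.statuses is None or incident.status in role.statuses


def redact(role: Role, incident: Incident) -> Dict[str, str]:
    """Attribute restriction: keep only the attributes the role may display."""
    return {k: v for k, v in incident.attributes.items() if k in role.display_attributes}


def work_queue(role: Role, incidents: List[Incident]) -> Dict[str, Dict[str, str]]:
    """The incident list as the role sees it: accessible incidents, redacted."""
    return {i.incident_id: redact(role, i) for i in incidents if can_access(role, i)}


def set_status(role: Role, incident: Incident, new_status: str) -> bool:
    """Set Status is honoured only for incidents the role can access."""
    if not can_access(role, incident):
        return False
    incident.status = new_status
    return True


def sample_incidents() -> List[Incident]:
    """Constructed incidents; ids, senders and bodies are not the lab's data."""
    return [
        Incident("00000101", "Customer Data Group", "New",
                 {"Policy": "Customer Data (DCM)", "Sender": "jdoe@example.com",
                  "Body": "card number in body", "Region": "West", "Employee Code": "E100"}),
        Incident("00000102", "Customer Data Group", "Escalated",
                 {"Policy": "PCI Compliance", "Sender": "asmith@example.com",
                  "Body": "PAN list attached", "Region": "East", "Employee Code": "E200"}),
        Incident("00000103", "General", "Escalated",
                 {"Policy": "Encrypted Data", "Sender": "bwong@example.com",
                  "Region": "East", "Employee Code": "E300"}),
        Incident("00000104", "Customer Data Group", "Requires Training",
                 {"Policy": "Customer Data (DCM)", "Sender": "cgreen@example.com",
                  "Region": "West", "Employee Code": "E400"}),
    ]


def escalation_handoff() -> Dict[str, object]:
    """Responder escalates 00000101, which then enters the manager's queue.
    The responder cannot touch 00000103, which is outside its policy group."""
    incidents = sample_incidents()
    before = sorted(work_queue(FIRST_LINE_MANAGER, incidents))
    changed_101 = set_status(FIRST_LINE_RESPONDER, incidents[0], "Escalated")
    changed_103 = set_status(FIRST_LINE_RESPONDER, incidents[2], "Escalated")
    after = sorted(work_queue(FIRST_LINE_MANAGER, incidents))
    return {"manager_before": before, "manager_after": after,
            "changed_101": changed_101, "changed_103": changed_103}


if __name__ == "__main__":
    for role in (FIRST_LINE_RESPONDER, FIRST_LINE_MANAGER):
        print(role.name, work_queue(role, sample_incidents()))
    print(escalation_handoff())
```

The status filter is what makes the hand-off work: an incident a responder escalates leaves the "New" population and appears in the manager's queue without any change to the manager's role. The attribute restriction is applied on every read, so the same incident shows different fields to the two roles.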


Exercise 2: Reporting creation and distribution

Enforce: Administrator:Training1
User name: CISO\ITSecurity
Password: protect4

You are a member of the ACME Information Security team, and the CISO has requested that you develop several new reports to be shared with senior management. The following is the list of three new reports the CISO would like you to create, share, and schedule for distribution:

  Business Unit Scorecard: This report summarizes all Network incidents by Business Unit and then by Policy.
  Machine IP by Policy: This report summarizes all Endpoint incidents by Policy and then by Machine IP.
  Highest Risk Endpoints: This report summarizes all New Data at Rest incidents where the Target = Endpoints, by Scanned Machine and then by Policy.

1 Open a browser and log in as the ITSecurity user within the CISO role.

2 Create a new Network report: Business Unit Scorecard. Save, share, and distribute this report on a monthly schedule.
  Report Name: Business Unit Scorecard
  Description: Summarize Network Incidents sorted by Business Unit and then by Policy.
  Summarized by:
    Primary: Business Unit
    Secondary: Policy
  Share Report


  Delivery Schedule
    Schedule: Send Monthly On
    At: 9:00 AM
    Send To: [email protected], [email protected]

3 Revise the Business Unit Scorecard report to show all incidents where the Status = Open.

Note: Now that you have revised the Business Unit Scorecard report, you have three options as follows: (1) Save the report with the new filters by selecting Save > Save, (2) Save the report as a new report name by selecting Save > Save As or (3) leave the report name and filters as is and just review the new results. In this lab, select option 3 because you are not required to save these revisions.

4 Create a new Endpoint report: Machine IP by Policy. Save and share this report.
  Report Name: Machine IP by Policy
  Description: Summarize Endpoint Incidents sorted by Policy and then by Machine IP.
  Summarized by:
    Primary: Policy
    Secondary: Machine IP (Corporate)
  Share Report.

5 Create a new Discover report: Highest Risk Endpoints. Save and share the report.
  Report Name: Highest Risk Endpoints
  Description: Lists the Endpoints with the most incidents found by Endpoint Discover.
  Filtered by:
    Target ID: Endpoints
    Detection Date: All Dates


  Summarized by:
    Primary: Scanned Machine
    Secondary: Policy
  Share Report.


Exercise 3: Creating a new dashboard

The CISO has requested that you develop a new dashboard named Enterprise Dashboard. This allows the CISO to quickly assess the organization's risk across all the coverage areas: Network, Endpoint, and Storage (Discover). The following is the list of six reports the CISO wants you to add to the new dashboard:

  Network: Network Incidents - All
  Network: Business Unit Scorecard
  Endpoint: Endpoint Incidents - All
  Endpoint: Machine IP by Policy
  Discover: Target Summary
  Discover: Highest Risk Endpoints

1 Create a new Shared Dashboard.
  Dashboard Name: Enterprise Dashboard
  Description: Dashboard showing all coverage points in the Enterprise: Network, Endpoint, and Discover.
  Left Column (Chart Only): Network Incidents All, Endpoint Incidents All, Discover Target Summary
  Right Column (Chart and Table): Business Unit Scorecard, Machine IP by Policy, Highest Risk Endpoints


Exercise 4: Configuring a user's reporting preferences

Enforce: Administrator:Training1
User name: CISO
Password: protect4

The CISO has requested that you configure the system to provide quick access to his or her preferred reports. Additionally, you have been asked to make the new Enterprise Dashboard the first report displayed when the CISO logs into the system.

1 Access the Enforce system, log out as user ITSecurity and log in as user CISO.
  What are the first six report links displayed in the Incidents > Network section?

2 Configure Enterprise Dashboard as the default report for user CISO.

3 Configure the Reports Pane. Configure the list of Network report links displayed in the left pane of the Network Reports page to display only the following reports. These changes should take effect immediately. You may need to refresh to see the changes.
  Exec. Summary - Network
  Policy Trend
  Protocol Trend


  Aging Unres. Incidents.


Exercise 5: Incident Response: First Responder role escalates incidents

User name: ISR
Password: protect4

ACME has established a three-tier Incident Response strategy using the following three roles: First Responder > Customer Data Responder > Investigation.

The First Responder role has been established to examine new PCI and PII customer incidents. This role has been instructed to escalate all incidents that appear to be valid (for example, credit card numbers, government identification numbers, and so on). The First Responder role is entitled only to view and remediate incidents where the Status = New or In-Process. Additionally, this role has restricted visibility of incident data to safeguard employee privacy.

Once the incident has been escalated, the Customer Data Responder then reviews the incident in the next exercise.

1 Log out as CISO and log in as user ISR, who is a member of the First Responder role.

2 Review the Incident List report My In-Process report.
  How many incidents are currently in the In-Process status?
  What severities are these incidents?
  Which policies did these incidents violate?

3 Review the Incident Snapshot report for incident ID 00000049.
  What type of protocol was used to deliver the message that created this incident?


  Review the match highlighting. Does this incident appear to contain a valid violation? If so, where was it found in the message (header, body, or attachment)? What type of data was found?
  Which policies did this one message violate? How many rules did this message violate for the first policy? If more than one policy, how many incidents did this one (1) message generate? Review any additional incidents using the go to incident links.
  Review the match highlighting of the additional incident. Does this incident appear to contain a valid violation? If so, what type of data was found in the message? How many rules did it violate for this policy?

4 Select the Correlations tab and review Correlations for incident ID 00000049.
  How many times has this subject appeared in an incident?
  How many times has the Payment Card Industry Data Security Standard policy been violated?

5 Review all the incidents with a related subject.

6 Escalate multiple incidents at one time using Set Status.
  Review the subjects of the incident list that ISR can now see. These all appear to be related. Assume that ISR has reviewed each to determine that they all contain credit card numbers or social security numbers.
  Use the Set Status: Escalated to move them to the next step in the workflow and remove them from ISR's work queues.
  The status of all eight (8) incidents is changed to Escalated. The incidents are escalated to the next step in the workflow process for further review by the Customer Data Responder role in the next exercise.


Exercise 6: Incident Response: Customer Data Responder using Smart Response to escalate or resolve

User name: CSR
Password: protect4

The Customer Data Responder role has been established to review incidents where Status = Escalated and the policy group = Customer Data or General. This role has been instructed to escalate or resolve incidents using Smart Responses as follows:

  Notify Manager and Resolve: Resolve incidents by scheduling data security training when the employee requires education to avoid further violations. Status = Resolved, Reason = Schedule Data Security Training.
  Escalate BU: Escalate incidents to engage the Business Unit when a potential broken business process is identified. Status = Escalated, Reason = Engage BU to fix Broken Business Process.
  Resolve BU: Resolve incidents when the Business Unit is actively addressing a broken business process. Status = Resolved, Reason = BU Addressing Broken Business Process.
  Launch Investigations: Escalate incidents that appear to be malicious. Status = Investigations.

1 Log out as ISR and log in as user CSR, who is a member of the Customer Data Responder role.

2 Navigate to Incidents > Network > Incidents - All.

3 Review the Incident Snapshot report for incident ID 00000055.
  Does this incident appear to be malicious?
  What do the Sender and Recipient values imply? Who is recipient [email protected]?
  Reviewing the Message Body section, what mistake did the sender [email protected] make that caused this incident? How could he have avoided an incident (and potentially all the subsequent incidents)?


  Using the Attributes pane, which Business Unit does sender jcolby report to?

4 Using the Correlations tab, navigate to all incidents that contain the same Subject.
  Note: Correlations identify all messages that contain the same Subject line words. This includes all Forwards, Replies, and messages where new words have been appended or prepended in the Subject line.

5 Assume that the CSR has reviewed these incidents and determined that they are to be resolved by scheduling education for the senders.
  Use the Smart Response: Notify MGR and Resolve to resolve all Incidents. Take a few moments to review the Smart Response Actions that occur before confirming.

6 Review the History within the Incident Snapshot.
  Did the system successfully send notifications to the manager and helpdesk?

7 Review the notification sent to the manager's and Helpdesk's e-mail addresses. Log on to Thunderbird to review the first notification sent to manager Zoe Jones from [email protected] with the Payment Card Industry Data Security Standard violation subject.

8 Resolve incidents (ID 00000060 and 00000061) using Smart Response: Launch Investigation.
  Select Saved Report Escalated Year-to-Date to return to CSR's escalated incident work queue.
  Review the Incident Snapshot report for incident ID 00000061:
    Does this incident appear to be malicious?
    What do the Sender and Recipient values imply?
    Which Policies does this message violate?


    What does the match highlighting reveal? Reviewing the questions and answers for Q2, Q3, and Q4, what can you ask yourself about this employee's actions?
  a Review the Correlations tab.
    How many incidents has sender [email protected] generated?
    How many incidents have been sent to the recipient [email protected]?

9 Using Correlations, navigate to all seven (7) incidents that recipient [email protected] received.

10 Assume that the CSR has reviewed these incidents and determined that they must all be investigated. Notice that the senders are violating the Encrypted Data policy and the PCI Compliance policy.
  Use the Smart Response: Launch Investigation to resolve all seven incidents. Take a few moments to review the Smart Response Actions that occur before confirming.


Exercise 7: Web Archive

User name: SysAdmin\ITSecurity
Password: protect4

ACME's Investigation Team needs to be able to review incidents offline when engaged in an investigation. You have been asked to export all incidents where Status = Investigation to HTML format for offline viewing.

1 Log out as CSR and log in as user ITSecurity with the role SysAdmin.

2 Create a new Network report: Investigations Till Date and save this report.
  Report Name: Investigations Till Date
  Description: Incidents under Investigation
  Filtered by:
    Status: Investigation
    Date: All Dates

3 Create a new Web Archive: Investigations.
  Archive Name: Investigations
  Report to Export: Investigations Till Date

4 Review incidents offline for the Web Archive: Investigations.
  Navigate to the Enforce Server file system C:/Vontu/Protect/archive/Investigations
  Review Incident ID 00000056.


Exercise 8: Export incidents using XML export

ACME's Investigation Team needs to be able to review incidents offline when engaged in an investigation, but would like to do so now in XML format. Export the report created in the previous exercise in XML format.

1 Continuing on the ITSecurity account, export the Investigations Till Date report to XML and review the results.


Exercise 9: User risk summary

ACME's IT team needs to configure the user risk summary to identify high-risk users.

1 Add a CSV user data source. Use the User_List.csv file located in the C:\SDLP\Lesson_03\Lab_09_01_CSV folder.

2 Verify the imported user list.

3 View the user risk summary report.

4 Click Logout.

End of lab


  • 29 Lab 4: Policy Management (A23)

    Lab 4: Policy Management

    The purpose of this lab is to reinforce your working knowledge of Policy Management. In this lab, you create a policy group, create a customer data policy, create a custom (blank) policy, create a policy based on a template, and export and import a policy.


  • 30 Symantec Data Loss Prevention 12: Administration (A24)

    Exercise 1: Creating a policy group

    1 Open a browser to the Enforce UI and log in using the following credentials:

      Enforce: Administrator:Training1
      User name: Administrator
      Password: protect4

    2 Add a new policy group.

      Name: Test Policy Group
      Description: Used for testing purposes
      Servers: All


  • 31 Lab 4: Policy Management (A25)

    Exercise 2: Create a customer data policy

    ACME needs to create a customer data policy to detect US Social Security Number violations.

    1 Open a browser and log in as the Administrator user.

      Enforce: Administrator:Training1
      User name: Administrator
      Password: protect4

    2 Create a new policy.

      Name: ACME Protect Customer Data
      Description: optional
      Policy Group: Customer Data Group

    3 Under the Detection tab, add a new rule.

      Rule: Content Matches Data Identifier: US Social Security Number (SSN)
      Rule name: SSN Data Identifier
      Severity: Medium
      Breadth: Medium


  • 32 Symantec Data Loss Prevention 12: Administration (A26)

    Exercise 3: Creating a custom (blank) policy

    Enforce: Administrator:Training1

    1 Add a new blank policy.

      Policy Name: E-mail Test Policy
      Description: Testing e-mail messages with drop folder
      Policy Group: Test Policy Group

    2 Add a keyword rule.

      Rule name: Looking for company name
      Keywords: Symantec Corporation

    3 On the Enforce system, copy the Lab4test.eml file from the c:\SDLP\Lesson_04\Lab_04-02_Keyword\ folder and paste it into the c:\drop folder.

    Note: Do not drag and drop the file into the folder.

    4 Watch the drop folder consume the file, or navigate to c:\Vontu\Protect\incidents. The incident moves quickly in and out of this folder.

    5 View the incident in Enforce.


  • 33 Lab 4: Policy Management (A27)

    Exercise 4: Create a policy based on a template

    ACME's Development team is interested in protecting their design documents. They use the Design Documents policy template to detect CAD/CAM drawing files.

    1 Add a policy from a template.

      Template: Design Documents
      Name (change the name): ACME Design Docs
      Description: Protect ACME design docs
      Policy Group: Test Policy Group

    2 Test the policy with the LatestLoadCellDesign.eml file from the c:\SDLP\Lesson_04\Lab_04-03_Policy\ folder.

    Note: When using the C:\drop folder, the system uses the date/time stamp from when the .eml was saved, not when it was copied to the C:\drop folder. This can make it difficult to find the most recent incidents, because the default sort for incident lists is by date.

    TIP: To see the most recent incidents, sort by ID, because each new incident's ID number is one greater than the previous incident's.


  • 34 Symantec Data Loss Prevention 12: Administration (A28)

    Exercise 5: Export/Import policy templates

    Enforce: Administrator:Training1

    ACME wishes to export a policy they have created and tested in their test environment and import it into their production environment.

    1 Export the Hardware Pricing Protection policy.

    2 Import the recently exported policy template, Hardware Pricing Protection.

    Note: For demonstration purposes, in class only, you export and import in the same environment.

    End of lab


  • 35 Lab 5: Response Rule Management (A29)

    Lab 5: Response Rule Management

    The purpose of this lab is to reinforce your working knowledge of Response Rules. In this lab you create an automated response rule and a smart response rule.


  • 36 Symantec Data Loss Prevention 12: Administration (A30)

    Exercise 1: Create Automated Response Rules

    ACME has stated that they would like to define consistent response rules for high, medium, and low severity incidents within their company.

    1 Open a browser to the Enforce UI and log in using the following credentials:

      Enforce: Administrator:Training1
      User name: Administrator
      Password: protect4

    2 Add a new High Severity Automated Response Rule.

      Rule Name: ACME High Severity Rule
      Description: Notify Manager and InfoSec, Escalate
      Conditions: Severity: High
      Actions: All: Send Email Notification
        Check Manager Email
        cc: [email protected]
        Language: English
        Subject: Please Read Policy Violation
        Body: Insert Variables: Severity, Sender, Policy Name, Match Count, Subject
      Actions: All: Set Status
        Status = Escalated


  • 37 Lab 5: Response Rule Management (A31)

    3 Add a new Low Severity Automated Response Rule.

      Rule Name: ACME Low Severity Rule
      Description: Discard Original Message, Non-Violating Attachments and Resolve
      Conditions: Severity: Low
      Actions: All: Limit Incident Data Retention
        Select Discard Original Message
        Select Attachments with no Violations
      Actions: All: Set Status
        Status = Resolved


  • 38 Symantec Data Loss Prevention 12: Administration (A32)

    Exercise 2: Create a Smart Response Rule

    1 Add a new Smart Response Rule.

      Rule Name: ACME Training Response
      Description: Resolved with Employee Education
      Conditions: (N/A; a smart response is always executed manually)
      Actions: All: Add Note: Conducted Training
      Actions: All: Set Status: Resolved Education

    End of lab


  • 39 Lab 6: Described Content Matching (A33)

    Lab 6: Described Content Matching

    The purpose of this lab is to reinforce your working knowledge of the Described Content Matching (DCM) detection method. In this lab, you create policies that include DCM rules and then capture incidents with those policies.


  • 40 Symantec Data Loss Prevention 12: Administration (A34)

    Exercise 1: Create a DCM Policy

    Enforce: Administrator:Training1

    ACME's Marketing team is developing a new product with code name acmeflash. They are co-developing it with an outside agency. Marketing is in the very early stages of developing the product (product name, terms, marketing collateral, and so on). The team needs to protect their work-in-progress documents. They have agreed to preface all document names with blackprogram- and to send them only to [email protected]. They would like monitoring to ensure that no one is sending information regarding code name acmeflash, or has found their documents and sent them.

    1 Verify that all policies are suspended.

    2 Add a new blank policy.

      Policy Name: Black Program
      Description: New Product Launch Data
      Policy Group: Test Policy Group

    3 Under the Detection tab, add a Content Matches Keyword rule.

      Rule name: New Product Code Name
      Keywords: acmeflash

    4 Under the Groups tab, add a Recipient Matches Pattern exception.

      Exception name: Trusted Partner Exception
      Conditions: Recipient Pattern: [email protected]


  • 41 Lab 6: Described Content Matching (A35)

    5 Add a compound condition to this exception.

      Also Match: Message Attachment or File Name Match
      Conditions: File Name: blackprogram-*.*

    6 Access the Enforce system, place the three .emls in the C:\SDLP\Lesson_06\Lab_06-01_DCM directory into the C:\drop folder, and view the expected results as indicated in the Enforce UI.

      File Name                        Result
      NO-MATCH - Project kickoff.eml   No Match - No incident created.
      MATCH - FileType-Changed.eml     Match - Does create an incident.
      MATCH - Product Launch TXT       Match - Does create an incident.

    7 Make sure all policies are suspended.

    Enforce: Administrator:Training1
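    The logic behind the Black Program policy (a keyword rule plus a compound exception that only exempts a message when both the recipient pattern and the attachment file-name pattern hold) can be modelled in a few lines. The following is an added illustrative example, not Symantec code and not the lab's .eml files; the partner address is a constructed placeholder because the real address is not legible on this page, and the three sample messages are constructed to mirror the three expected results above.

```python
"""Toy model of a DCM keyword rule with a compound (AND) exception.
Added example; not Symantec DLP code. The recipient address is a placeholder."""
import fnmatch
import re
from dataclasses import dataclass, field

# ASSUMPTION: placeholder for the trusted partner address used in the lab.
TRUSTED_RECIPIENT_PATTERN = "partner@agency.example"
KEYWORDS = ["acmeflash"]
FILE_NAME_GLOB = "blackprogram-*.*"


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # file name -> extracted text


def keyword_matches(msg, keywords):
    """Whole-word, case-insensitive keyword hits across subject, body and attachments."""
    text = "\n".join([msg.subject, msg.body, *msg.attachments.values()])
    hits = []
    for kw in keywords:
        hits += re.findall(r"\b" + re.escape(kw) + r"\b", text, flags=re.IGNORECASE)
    return hits


def recipient_matches(msg, pattern):
    return any(fnmatch.fnmatch(r.lower(), pattern.lower()) for r in msg.recipients)


def file_name_matches(msg, glob):
    return any(fnmatch.fnmatch(name.lower(), glob.lower()) for name in msg.attachments)


def trusted_partner_exception(msg):
    """Compound exception: BOTH conditions must hold for the message to be exempt."""
    return recipient_matches(msg, TRUSTED_RECIPIENT_PATTERN) and file_name_matches(msg, FILE_NAME_GLOB)


def evaluate(msg):
    """Return (incident_created, keyword_match_count)."""
    hits = keyword_matches(msg, KEYWORDS)
    if not hits:
        return False, 0
    if trusted_partner_exception(msg):
        return False, len(hits)   # rule matched, but the exception exempts the message
    return True, len(hits)


def sample_messages():
    """Constructed messages modelled on the three lab .emls (not the lab files themselves)."""
    partner = [TRUSTED_RECIPIENT_PATTERN]
    return {
        # correct prefix, sent to the partner -> exempt, no incident
        "kickoff": Message("marketing@acme.example", partner, "Project kickoff",
                           "Agenda for acmeflash kickoff attached.",
                           {"blackprogram-kickoff.docx": "acmeflash launch plan"}),
        # file renamed, so the file-name half of the exception fails -> incident
        "renamed": Message("marketing@acme.example", partner, "Kickoff deck",
                           "Latest version", {"kickoff.docx": "acmeflash launch plan"}),
        # correct prefix but sent outside the partner -> incident
        "outsider": Message("marketing@acme.example", ["friend@outsider.example"], "FYI",
                            "Take a look", {"blackprogram-launch.txt": "acmeflash pricing"}),
    }


if __name__ == "__main__":
    for name, msg in sample_messages().items():
        print(name, evaluate(msg))
```

    The point of the compound condition is visible in the second sample: removing the blackprogram- prefix is enough to fall out of the exception, which is exactly the FileType-Changed case in the table above.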


  • 42 Symantec Data Loss Prevention 12: Administration (A36)

    Exercise 2: Create a DCM Policy (Data Identifiers)

    Enforce: Administrator:Training1

    During the baseline period, ACME is interested in understanding the formats of Social Security Numbers that are sent by different employees or automated processes. To do this, they test the US Social Security Number Data Identifier. This helps them understand the different results (false positives and catch rate) between DI breadths (wide, medium, narrow).

    1 Add a blank policy.

      Name: SSNs all breadths
      Description: Test SSN DI
      Policy Group: Test Policy Group

    2 Under the Detection tab, add a Content Matches Data Identifier rule.

      Select: US Social Security Number (SSN)
      Rule Name: Wide breadth
      Conditions/breadth: Wide

    3 Under the Detection tab, add a second Content Matches Data Identifier rule.

      Select: US Social Security Number (SSN)
      Rule Name: Medium breadth
      Conditions/breadth: Medium

    4 Under the Detection tab, add a third Content Matches Data Identifier rule.

      Select: US Social Security Number (SSN)
      Rule Name: Narrow breadth
      Conditions/breadth: Narrow


  • 43 Lab 6: Described Content Matching (A37)

    5 Access the Enforce system, place the .eml files in the C:\SDLP\Lesson_06\Lab_06-02_SSN_DI directory into the C:\drop folder, and view the expected results as indicated.

      File Name: MATCH-SSN-DI.eml
      Subject: Here is the list of SSNs

      Breadth   Match Count
      Wide      2
      Medium    2
      Narrow    2

      File Name: NO-Narrow-Match-SSN-DI.eml
      Subject: SSNs for you to try in your app

      Breadth   Match Count
      Wide      2
      Medium    2

    6 Make sure all policies are suspended.


  • 44 Symantec Data Loss Prevention 12: Administration (A38)

    Exercise 3: Creating a DCM Policy from the PCI Template

    Enforce: Administrator:Training1

    ACME's Compliance team needs to ensure that ACME is compliant with PCI standards. They want to use the Symantec Payment Card Industry Data Security Standard policy template to detect valid credit card numbers and/or credit card magnetic stripe data.

    1 Add a policy from a template.

      Template: Payment Card Industry Data Security Standard
      Name (change the name): ACME PCI
      Description: PCI (CC# and Mag Stripe data)
      Policy Group: Test Policy Group

    2 Access the Enforce system, place the .emls in the C:\SDLP\Lesson_06\Lab_06-03_PCI directory into the C:\drop folder, and view the expected results in the Enforce UI as indicated.

      MATCH-CCnumbers.eml (Subject: MATCH-Here are the good numbers I told you about)
        Result: Match - Should create an incident with three match counts.

      MATCH-Mag Stripe Data.eml (Subject: MATCH-hope you like this info)
        Result: Match - Should create an incident with four match counts.

      NO MATCH-CCnumbers.eml (Subject: NO MATCH-Here are the good numbers I told you about)
        Result: No Match - Does not create an incident the first time. Creates an incident with three match counts after revising the policy.

    Why does the last .eml, NO MATCH-CCnumbers.eml, not produce an incident?

    How could you revise the policy to catch that message?


  • 45 Lab 6: Described Content Matching (A39)

    3 Revise the policy to capture the .eml named NO MATCH-CCnumbers.eml.

    4 Access the Enforce system and copy the NO MATCH-CCnumbers.eml file from the C:\SDLP\Lesson_06\Lab_06-03_PCI directory into the C:\drop folder again. You should catch it this time.

    5 Make sure all policies are suspended.
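    Exercises 2 and 3 both turn on what a Data Identifier adds beyond a bare pattern: a breadth that layers plausibility checks and context keywords on top of the pattern, and, for the PCI template, a checksum so that only valid card numbers count. The following added example models that layering in a small engine of its own. It is not Symantec's implementation (the exact rules behind the product's wide, medium and narrow SSN breadths are not stated on this page), so the breadth definitions, the sample texts and the expected counts are all constructed here for illustration.

```python
"""Illustrative data-identifier engine: one pattern, three breadths, plus a
Luhn validator for card numbers. Added example; not Symantec DLP code."""
import re

SSN_PATTERN = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
CC_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")   # 16 digits, optional separators
SSN_CONTEXT = re.compile(r"\b(ssn|social security)\b", re.IGNORECASE)
CONTEXT_WINDOW = 40  # characters on either side searched for a context keyword (assumption)


def ssn_is_plausible(area, group, serial):
    """Reject ranges the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def luhn_ok(number):
    """Standard Luhn mod-10 check over the digits of a card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def match_ssn(text, breadth):
    """wide: pattern only; medium: + plausibility; narrow: + context keyword nearby."""
    hits = []
    for m in SSN_PATTERN.finditer(text):
        if breadth in ("medium", "narrow") and not ssn_is_plausible(*m.groups()):
            continue
        if breadth == "narrow":
            window = text[max(0, m.start() - CONTEXT_WINDOW): m.end() + CONTEXT_WINDOW]
            if not SSN_CONTEXT.search(window):
                continue
        hits.append(m.group(0))
    return hits


def breadth_report(text):
    """Match count per breadth, the same comparison the lab tables above make."""
    return {b: len(match_ssn(text, b)) for b in ("wide", "medium", "narrow")}


def match_credit_cards(text):
    """PCI-style rule: a 16-digit number counts only if it passes the Luhn check."""
    return [m.group(0) for m in CC_PATTERN.finditer(text) if luhn_ok(m.group(0))]


# Constructed samples (not the lab .eml files). Three nine-digit numbers: one with
# an SSN keyword nearby, one in an unissued area range, one with no context.
SAMPLE_SSN_TEXT = ("Employee SSN 219-09-9999 on file. Batch id 666-12-3456. "
                   "Reference 123456789 from system.")
# One Luhn-valid test number and one that fails the checksum.
SAMPLE_CARD_TEXT = "Cards: 4111 1111 1111 1111 and 4111 1111 1111 1112."

if __name__ == "__main__":
    print(breadth_report(SAMPLE_SSN_TEXT))    # wide 3, medium 2, narrow 1
    print(match_credit_cards(SAMPLE_CARD_TEXT))
```

    Running it on the constructed SSN sample gives a falling count from wide to narrow, which is the shape of the trade-off the lab is measuring: each narrower breadth removes some false positives and some true hits. The card sample shows why a number that looks like a card number may still not create an incident under a policy that requires valid numbers.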

    End of lab


  • 46 Symantec Data Loss Prevention 12: Administration (A40)


  • 47 Lab 7: Exact Data Matching and Directory Group Matching (A41)

    Lab 7: Exact Data Matching and Directory Group Matching

    The purpose of this lab is to reinforce your working knowledge of the Exact Data Matching (EDM) detection method. In this lab, you create policies that include EDM rules and then capture incidents with those policies. As part of this process, you create EDM indexes, including an EDM index for use in a DGM rule.


  • 48 Symantec Data Loss Prevention 12: Administration (A42)

    Exercise 1: Creating an EDM Index

    Enforce: Administrator:Training1

    To ensure that ACME's high net worth customers are not disclosed to unauthorized recipients, the InfoSec team is charged with setting up monitoring policies to protect this data. ACME requires the highest degree of accuracy to eliminate false positives. This lets ACME remediate incidents without adding headcount, and it gives them the confidence to block these violations during Phase II of their Symantec Data Loss Prevention deployment. ACME's project team has elected to protect the Customer Data File. ACME also requires that they do not monitor the communications of their employees located in France or Switzerland. To accomplish this, the InfoSec team creates an Exact Data Profile to match senders from the Employee Directory based on their country of residence. ACME has created extracts of both files to be used as Exact Data Profiles in Symantec Data Loss Prevention.

    1 Create an Exact Data Profile.

      Name: ACME Customer Data
      Data Source: Upload Data Source to Server Now: c:\SDLP\Lesson_07\Lab_07-01_EDM_Index\CustomerDataExtractLarge0213.dat
      Column Names: Read first row as column names (selected)
      Error Threshold: 5%
      Column Separator: Tab
      File Encoding: ISO-8859-1 (Latin-1)
      Submit Indexing Job on Save: Selected


  • 49 Lab 7: Exact Data Matching and Directory Group Matching (A43)

    Exercise 2: Creating an EDM Index for a Directory Group Match

    ACME requires that outbound communications from employees living in either France or Switzerland not be monitored. ACME wants to use Directory Group Match detection to accomplish this. The InfoSec Group must first create an Exact Data Profile.

    Note: Directory Group Match requires that you first create an EDM index.

    1 Create an Exact Data Profile.

      Name: Employee Data and Directory
      Data Source: Upload Data Source to Server Now: c:\SDLP\Lesson_07\Lab_07-02_EDM_for_DGM\HRDirectory.csv
      Column Names: Select the following:
      Error Threshold: 5%
      Column Separator: Comma (,)
      File Encoding: ISO-8859-1 (Latin-1)
      Field Mappings: Data Source Field: Email, System Field: Email
      Submit Indexing Job on Save: Selected


  • 50 Symantec Data Loss Prevention 12: Administration (A44)

    Exercise 3: Using EDM in a Policy

    Previously, the InfoSec team created an EDM index (referenced in the ACME Customer Data exact data profile). This index is based on the ACME customer data extract. To protect customer data, the InfoSec team decides to create a new Symantec Data Loss Prevention policy using the ACME Customer Data exact data profile.

    The team also knows that they need to update the index regularly with new customer data that enters the ACME customer database, and that between these comprehensive re-indexings, one suggested practice is to include a Data Identifier in the policy to catch unindexed new customer data. Therefore, they plan to include the US Social Security Number Data Identifier in this same policy.

    1 Make sure the ACME Protect Customer Data policy is enabled.

    2 Click the ACME Protect Customer Data policy to edit it.

    3 Under the Detection tab, add a new rule.

      Rule: Content Matches Exact Data From: ACME Customer Data
      Rule name: ACME Customer EDM Data
      Conditions:
        Match: 3 of the selected fields
        Select: Social Security Number, First Name, Last Name, Email Address, Credit Card
        Excluded Combinations: First Name, Last Name, Email Address

    4 Access the Enforce system, place the .eml files in the c:\SDLP\Lesson_07\Lab_07-03_EDM\ folder into the C:\drop folder, and view the expected results in the Enforce UI as indicated.

      File Name: High Customer Data to include in report this weekend Hidden Cells.eml
      Result: Match - One incident, 167 match count.


  • 51 Lab 7: Exact Data Matching and Directory Group Matching (A45)

    Exercise 4: Using Severity in a Policy

    Enforce: Administrator:Training1

    ACME's Incident Response Team (IRT) requires the ability to set thresholds that help determine which violations warrant immediate attention, as well as the ability to have the system automatically escalate higher-risk violations. The ability to set SEVERITY thresholds helps lower the Total Cost of Ownership (TCO) for ACME.

    1 Select policy: ACME Protect Customer Data.

    2 Edit rule: ACME Customer EDM Data.

    3 Change the Default Severity to Low, and add two new severities (Medium, High).

      Medium: Greater than or equals 2
      High: Greater than or equals 15


  • 52 Symantec Data Loss Prevention 12: Administration (A46)

    Exercise 5: Using DGM in a Policy

    Enforce: Administrator:Training1

    ACME's HR and Compliance teams currently require that the company only monitor the outbound communications of US-, UK- and APAC-based employees. All other employees are currently exempt from monitoring. This is accomplished by adding a compound rule to the Protect Customer Data policy. The additional AND condition uses a Directory Group Match to identify the employee's country of residence.

    1 Access the Enforce system and place the .eml files in the c:\SDLP\Lesson_07\Lab_07-04_DGM\ folder into the C:\drop folder now. Verify that each .eml has created an incident before adding the DGM exception to the policy.

    2 Add an exception to the ACME Protect Customer Data policy.

      Exception Name: Country Exception
      Sender/User Matches Directory From: Employee Data and Directory
      Where: Country
      Is Any Of: France, Switzerland

    3 Before dropping the .emls again, review the Incident List and make a note of your newest Incident ID (sort by ID). This aids you in reviewing the results.


  • 53 Lab 7: Exact Data Matching and Directory Group Matching (A47)

    4 Access the Enforce system, place the three .eml files from the C:\SDLP\Lesson_07\Lab_07-04_DGM folder into the C:\drop folder again, and view the expected results as indicated in the following table.

      File Name         Result
      US-UK-APAC.eml    Creates an incident (167 match count) before and after you add the DGM exception to the policy.
      France.eml        Creates an incident the first time, but does not create an incident after you add the DGM exception.
      Switzerland.eml   Creates an incident the first time, but does not create an incident after you add the DGM exception.
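    The Country Exception works in two stages: the sender address is looked up in the directory index built from HRDirectory.csv (keyed on the Email column mapped in Exercise 2), and, if an entry is found, its Country value is tested against the Is Any Of list. The added example below models that lookup and reproduces the before/after comparison the lab asks for in steps 1 and 4. It is not Symantec code; the directory CSV, the message headers and the assumption that the detection rule matches every sample message are all constructed here.

```python
"""Toy Directory Group Match exception keyed on sender e-mail and Country.
Added example; not Symantec DLP code. Directory and messages are constructed."""
import csv
import io

# Constructed stand-in for HRDirectory.csv (first row = column names, comma separated).
HR_DIRECTORY_CSV = """Email,First Name,Last Name,Country
marie@acme.example,Marie,Dupont,France
hans@acme.example,Hans,Keller,Switzerland
kim@acme.example,Kim,Lee,APAC
jo@acme.example,Jo,Smith,UK
"""

EXEMPT_COUNTRIES = {"France", "Switzerland"}   # the "Is Any Of" list


def build_directory_index(csv_text):
    """Index rows by normalized e-mail, mirroring the Email -> Email field mapping."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Email"].strip().lower(): row for row in reader}


def sender_address(headers):
    """Pull the bare address out of a From: header such as 'Marie <marie@acme.example>'."""
    raw = headers.get("From", "")
    if "<" in raw and ">" in raw:
        raw = raw[raw.index("<") + 1: raw.index(">")]
    return raw.strip().lower()


def country_exception(headers, index):
    """True when the sender is in the directory AND their Country is an exempt one."""
    entry = index.get(sender_address(headers))
    return entry is not None and entry["Country"] in EXEMPT_COUNTRIES


def evaluate(headers, rule_matched, index, exception_enabled=True):
    """Return True when an incident would be created.

    rule_matched is the detection rule's own outcome (for the lab, the EDM rule
    from Exercise 3); the exception can only suppress a match, never create one."""
    if not rule_matched:
        return False
    if exception_enabled and country_exception(headers, index):
        return False
    return True


DIRECTORY = build_directory_index(HR_DIRECTORY_CSV)

# Constructed stand-ins for the three lab messages; the rule is assumed to match each.
SAMPLES = {
    "US-UK-APAC": {"From": "Kim Lee <kim@acme.example>"},
    "France": {"From": "marie@acme.example"},
    "Switzerland": {"From": "Hans Keller <hans@acme.example>"},
}


def results(exception_enabled):
    """Incident created or not, per sample, with the exception off (step 1) or on (step 4)."""
    return {name: evaluate(h, True, DIRECTORY, exception_enabled) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    print("before exception:", results(False))
    print("after exception: ", results(True))
```

    A sender who is not in the directory at all falls through to an incident, which is the safe default: an exception that cannot resolve the sender should not exempt the message.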

    End of lab


  • 54 Symantec Data Loss Prevention 12: Administration (A48)


  • 55 Lab 8: Indexed Document Matching (A49)

    Lab 8: Indexed Document Matching

    The purpose of this lab is to reinforce your working knowledge of the Indexed Document Matching (IDM) detection method. In this lab, you create policies that include IDM rules and then capture incidents with those policies. As part of this process, you create IDM indexes.


  • 56 Symantec Data Loss Prevention 12: Administration (A50)

    Exercise 1: Create an IDM Index

    Enforce: Administrator:Training1

    ACME has built its business by acquisition and expects to continue with that strategy. The project team wants to establish a strategy and policy to protect sensitive data with respect to Mergers and Acquisitions. The InfoSec team protects the sensitive data using Indexed Document Matching.

    1 Verify that all policies are suspended.

    2 Create a Document Profile.

      Name: ACME Mergers Documents
      Document Source: Upload Document Archive to Server Now: c:\SDLP\Lesson_08\Lab_08-01_IDM_Index\Mergers Highly Sensitive Docs.zip
      Submit Indexing Job on Save: Selected


  • 57 Lab 8: Indexed Document Matching (A51)

    Exercise 2: Using IDM in a Policy

    ACME's CFO and Legal Counsel are concerned about protecting data regarding Mergers and Acquisitions. The InfoSec team has already created the Indexed Document Profile. They have decided to modify the Mergers and Acquisition Data policy that was delivered with the solution.

    1 Verify that the ACME Protect Customer Data policy is suspended.

    2 Activate and open the Merger and Acquisition Agreements policy.

    3 Under the Detection tab, add a rule.

      Rule: Content Matches Document Signature from: ACME Mergers Documents
      Rule Name: Protect Merger Docs
      Minimum Document Exposure: 30%

    4 Assign the policy to the Corporate Financial Data Group policy group.

    5 Access the Enforce system, place the three .eml files from the C:\SDLP\Lesson_08\Lab_08-02_IDM folder into the C:\drop folder again, and view the expected results as indicated in the following table.

      File Name                    Result
      50% Paste in other doc.eml   An incident is created (one match count, matching 70% of one of the indexed documents).
      10% in body.eml              No incident created.
      Early QFinancials.eml        No incident created.
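    The Minimum Document Exposure setting in step 3 is a percentage of an indexed document: an incident is created when at least that share of the document's content appears in the message, which is why a 50% paste fires the rule and a 10% quote does not. The added example below models document exposure with word n-gram fingerprints. It is an illustration written for this page, not Symantec's proprietary IDM algorithm, and the indexed documents, the messages and the 3-word shingle size are all constructed assumptions.

```python
"""Toy Indexed Document Matching: fingerprint indexed documents as sets of
word-trigram hashes and score a message by the share of a document's
fingerprints it contains. Added example; not Symantec DLP code."""
import hashlib
import re

SHINGLE_WORDS = 3      # assumption: 3-word shingles
MIN_EXPOSURE = 0.30    # the rule's Minimum Document Exposure (30%)


def shingles(text, n=SHINGLE_WORDS):
    """Hashes of every run of n consecutive words (case-folded, punctuation dropped)."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha1(" ".join(words[i:i + n]).encode()).hexdigest()[:16]
            for i in range(len(words) - n + 1)}


def build_index(documents):
    """Map document name -> fingerprint set (what the indexing job would store)."""
    return {name: shingles(body) for name, body in documents.items()}


def exposure(message, fingerprints):
    """Fraction of the indexed document's shingles that occur in the message."""
    if not fingerprints:
        return 0.0
    return len(fingerprints & shingles(message)) / len(fingerprints)


def evaluate(message, index, min_exposure=MIN_EXPOSURE):
    """Return {document: exposure} for indexed documents at or above the threshold;
    an empty dict means no incident."""
    scored = {name: exposure(message, fp) for name, fp in index.items()}
    return {name: round(score, 2) for name, score in scored.items() if score >= min_exposure}


# Constructed documents standing in for the indexed archive (not the lab's zip file).
DOCUMENTS = {
    "Merger memo": ("Project Nightingale term sheet: ACME will acquire Widgetco for two "
                    "hundred million in cash and stock, subject to due diligence, board "
                    "approval and regulatory review, with closing targeted for the fourth quarter."),
    "Board minutes": ("Board minutes: the quarterly budget review was approved without "
                      "changes by all members present."),
}
INDEX = build_index(DOCUMENTS)

# Constructed messages: roughly half the memo pasted into a mail, and a two-phrase quote.
HALF_PASTE = ("Hi, pasting this: ACME will acquire Widgetco for two hundred million in cash "
              "and stock, subject to due diligence, board approval. Thoughts?")
SMALL_QUOTE = "FYI: due diligence, board approval pending."

if __name__ == "__main__":
    print(evaluate(HALF_PASTE, INDEX))    # memo above threshold
    print(evaluate(SMALL_QUOTE, INDEX))   # nothing above threshold
```

    Because exposure is measured against the indexed document rather than the message, a long e-mail that embeds a short protected document still scores high, and a short quotation of a long document scores low; that is the behaviour the three rows in the table above illustrate.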


  • 58 Symantec Data Loss Prevention 12: Administration (A52)

    Exercise 3: Policy Management - Scheduling IDM Indexings

    Enforce: Administrator:Training1

    ACME's finance department wants to ensure that its quarterly earnings reports are not distributed to unauthorized viewers before public release. The quarterly earnings report contains specific financial information and data that must be protected.

    Often, customers refresh the Indexed Document Profile (IDP) on a schedule (daily, weekly, monthly, and so on) and place the documents used to create the IDP in a predefined secure file share. ACME uses this location to tell Symantec Data Loss Prevention where to find the documents to index. After the pre-release financials are indexed, the ACME InfoSec team creates a new policy to protect this data.

    1 Suspend the Merger and Acquisition Documents policy.

    2 Create a new Indexed Document Profile called ACME Quarterly Financials to protect the pre-release quarterly financials that the finance team saves to the secure file share \\Enforce\Private-Finance.

    Note: Consider the following: Do you have all the information you need? If not, what do you need to complete this task?

    3 Create a policy to detect pre-release Quarterly Financials.

    4 Access the Enforce system and place the three .eml files from the C:\SDLP\Lesson_08\Lab_08-03_Index_Scheduling folder into


  • 59 Lab 8: Indexed Document Matching (A53)

    the C:\drop folder again and view the expected results as indicated in the following table.

      File Name                    Result
      50% Paste in other doc.eml   No incident created for this policy.
      10% in body.eml              No incident created for this policy.
      Early QFinancials.eml        One incident created for this policy.


  • 60 Symantec Data Loss Prevention 12: Administration (A54)

    Exercise 4: Adding automated responses to a policy

    Enforce: Administrator:Training1

    Add the three response rules you created in an earlier exercise to the ACME Protect Customer Data policy.

    1 Suspend the ACME Protect Financial Data policy.

    2 Activate and edit a policy to include three response rules.

      Name: ACME Protect Customer Data
      Response Rules: ACME High Severity Rule, ACME Med Severity Rule, ACME Low Severity Rule

    3 Access the Enforce system, place the .eml files from the C:\SDLP\Lesson_08\Lab_08-04_Response folder into the C:\drop folder, and view the expected results as indicated in the following table.


  • 61 Lab 8: Indexed Document Matching (A55)

    4 If any of the .emls did not create an incident, why not? (Hint: Are there any exceptions?) Fix the problem and retest the .eml files.

    5 Access the Enforce system and place the .eml files from the C:\SDLP\Lesson_08\Lab_08-04_Response folder into the


    Enforce: Administrator:Training1

    Cop

    yrig

    ht

    201

    3 S

    yman

    tec

    Cor

    pora

    tion.

    All

    right

    s re

    serv

    ed.

    CONFIDENTIAL - NOT FOR DISTRIBUTION

  • 62 A56 Symantec Data Loss Prevention 12: AdministrationCopyright 2013 Symantec Corporation. All rights reserved.

    C:\drop folder again and view the expected results as indicated in the following table.

    File Name Result

    PCI data - from Switzerland.eml HIGH - A high-severity incident (167 match count) is created against this policy after you remove the exception from the policy.

    Review Customer over weekend - Hidden Cells.eml

    No incident is created. This is because the names and Social Security Numbers in this e-mail do not match the data in the EDM index.

    Customer-Data.eml HIGH - A high-severity incident (167 match count) is created.

    Account Data for testing programs.eml Med - A medium-severity incident (13 match count) is created against this policy after you remove the exception from the policy.

    Here is the customers information attached with directions.eml

    Low - A low-severity incident is created (1 match count).


    Exercise 5: Executing a Smart Response to an incident

    Enforce: Administrator:Training1

    Locate the medium-severity incident captured in the last exercise and execute the Smart Response you created previously.

    1 Locate the medium-severity incident captured in the last exercise.

    2 Execute the ACME Training Response Smart Response Rule.

    3 In the Incident Snapshot, review the incident History and Notes tabs.

    RESULTS: The History section in the Incident Snapshot indicates that the status was changed to Resolved Education and the note Conducted Training has been added.

    4 Suspend the ACME Protect Customer Data policy.

    End of lab


    Lab 9: Vector Machine Learning

    The purpose of this lab is to reinforce your working knowledge of the Vector Machine Learning (VML) detection method. In this lab, you create a policy that includes VML similarity scores, and then capture incidents with that policy. As part of this process, you import positive and negative documents for the VML training process.


    Exercise 1: Configure Vector Machine Learning

    Enforce: Administrator:train

    The ACME IT team needs to configure a Vector Machine Learning data profile to protect source code written in Java.

    1 Create a Vector Machine Learning profile.

        Profile Name: ACME Source Code VML
        Positive set: VML_Positive.zip
        Negative set: VML_Negative.zip
        Similarity Threshold: 0

    2 Create a policy that uses the ACME Source Code VML profile.

        Policy/Rule Name: ACME Source Code VML
        Policy Group: Default Policy Group
        VML Profile: ACME Source Code VML

    3 Access the Enforce system and place the Java module files.eml file from the C:\SDLP\Lesson_09\Lab_09-01_VML folder into the C:\drop folder.

    4 Review the new incident snapshot.

    5 Suspend the ACME Source Code VML policy.

    End of lab


    Lab 10: Network Monitor Review

    The purpose of this lab is to reinforce your working knowledge of IP and Layer 7 filters used by the system. In this lab you become familiar with the syntax used for creating IP and L7 filters within the UI and apply them to the system.

    Lab setup

    The IP Filtering lab is a paper lab. No virtual machine images are used. Use virtual machine images for the L7 Filters lab.


    Exercise 1: IP Filtering (Part 1)

    ACME Company wants to monitor (include) all the outbound traffic from the 10.1.0.0/16 subnet except for the traffic from an internal Web server at 10.1.1.5. Additionally, ACME only wants to monitor outbound traffic.

    1 Create an IP filter that can do this.

    2 Based on the IP filter that you created in step 1, what happens to outgoing traffic from 10.1.1.5?

    3 What happens to outgoing traffic from 10.1.1.9?

    4 What happens to incoming traffic from 23.127.39.90?


    Exercise 2: IP Filtering (Part 2)

    ACME Company wants to filter out traffic that stays inside the subnet, because they have not placed Symantec Data Loss Prevention at the exit point of the network. ACME does not want to monitor any internal traffic that is routed within the 10.1.0.0/16 subnet, only traffic destined for the Internet. ACME does not want to monitor inbound traffic.

    HINT: Keep traffic from 10.1.0.0/16 that is headed out of the network and exclude all other traffic.

    1 Create an IP filter to do this.

    2 Based on the IP filter that you created in step 1, what happens to internal traffic with a destination IP of 10.1.1.9?

    3 What happens to incoming traffic with a source IP of 23.127.39.90?


    Exercise 3: IP Filtering (Part 3)

    ACME Company wants to monitor all outbound traffic except traffic destined for a trusted partner. ACME does not want to monitor inbound traffic.

    1 Create an IP filter to do this.

    2 Based on the IP filter that you created in step 1, what happens to outgoing traffic with a destination IP of 64.62.39.90?

    3 What happens to outgoing traffic with a source IP of 10.1.1.9?
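The three IP filtering exercises share one decision model: an ordered list of include and exclude rules, where the first rule whose source and destination both match the flow wins, and anything no rule matches is dropped from monitoring. The script below is an added illustration of that logic and is not the Symantec DLP IP filter syntax or the lab guide's own material; it encodes the three scenarios as rule lists so the ordering sensitivity (the 10.1.1.5 exception must precede the broader include) can be tested. The 10.1.0.0/16 subnet, the 10.1.1.5 Web server and the test addresses come from the exercises; the trusted partner's network (203.0.113.0/24) and the Internet host 198.51.100.7 are constructed placeholders because the exercises do not give them.

```python
"""Ordered first-match IP filter evaluator.

Added illustration for the three IP filtering exercises above. It is not the
Symantec DLP IP filter syntax; it models only the decision logic: rules are
checked in order, the first rule whose source and destination networks both
contain the flow decides, and a flow matching no rule gets the default action.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

INTERNAL = ip_network("10.1.0.0/16")     # corporate subnet from the exercises
WEB_SERVER = ip_network("10.1.1.5/32")   # internal Web server from Exercise 1
PARTNER = ip_network("203.0.113.0/24")   # constructed: the exercise does not give the partner's address
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "monitor" or "ignore"
    src: IPv4Network = ANY       # source network the rule applies to
    dst: IPv4Network = ANY       # destination network the rule applies to


def evaluate(rules, src, dst, default="ignore"):
    """Return the action for one flow; the first matching rule wins."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return default


# Exercise 1: monitor outbound traffic from 10.1.0.0/16, except from the Web server.
EXERCISE_1 = [
    Rule("ignore", src=WEB_SERVER),               # the exception must come first
    Rule("ignore", src=INTERNAL, dst=INTERNAL),   # internal-to-internal is not outbound
    Rule("monitor", src=INTERNAL),                # everything else leaving the subnet
]

# Exercise 2: only traffic leaving 10.1.0.0/16 for the Internet; no internal, no inbound.
EXERCISE_2 = [
    Rule("ignore", src=INTERNAL, dst=INTERNAL),
    Rule("monitor", src=INTERNAL),
]

# Exercise 3: all outbound traffic except flows to the trusted partner; no inbound.
EXERCISE_3 = [
    Rule("ignore", dst=PARTNER),
    Rule("ignore", src=INTERNAL, dst=INTERNAL),
    Rule("monitor", src=INTERNAL),
]


def trace(rules, src, dst):
    """Human-readable decision, including which rule fired."""
    s, d = ip_address(src), ip_address(dst)
    for i, rule in enumerate(rules):
        if s in rule.src and d in rule.dst:
            return f"{src} -> {dst}: {rule.action} (rule {i})"
    return f"{src} -> {dst}: ignore (no rule matched)"


if __name__ == "__main__":
    scenarios = [("Exercise 1", EXERCISE_1), ("Exercise 2", EXERCISE_2), ("Exercise 3", EXERCISE_3)]
    for name, rules in scenarios:
        print(name)
        print(" ", trace(rules, "10.1.1.5", "198.51.100.7"))    # constructed Internet host
        print(" ", trace(rules, "10.1.1.9", "198.51.100.7"))
        print(" ", trace(rules, "23.127.39.90", "10.1.1.9"))    # inbound flow from the exercise
```

Reversing the order of EXERCISE_1 makes the broad include fire before the 10.1.1.5 exception, so the Web server's traffic is monitored after all; that is the check to run against any real filter that mixes include and exclude entries.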


    Exercise 4: L7 Filters

    Enforce: Administrator:Training1

    In this lab you apply L7 filters locally at the Enforce server level.

    1 Activate E-mail Test Policy.

    2 Edit E-mail Test Policy by adding L7 as a keyword in the existing rule.

    3 Edit the L7 Recipient Filter in the SMTP protocol with the following: [email protected].

    4 Save and recycle the detection server.

    5 Copy and paste the c:\SDLP\Lesson_04\Lab_04-02_Keyword\lab4test.eml into the c:\drop folder.

    Question: Should an incident be created? Why?

    6 Using L7 filters only, write the filter(s) to do the following: Do NOT monitor the outbound SMTP traffic from [email protected] or [email protected].

    7 Drop all the .eml files from the c:\SDLP\Lesson_10\Lab_10-02_L7_Filters folder into the c:\drop folder and review your results.

    Question: How many incidents were created? Why might there be a discrepancy?

    8 Clear all existing L7 Filters in the SMTP protocol.

    9 Using L7 filters only, write the filters to do the following: Monitor all outbound traffic sent from anyone with domain acme.com to all external domains. Do not monitor sub-domains of acme.com (for example, benefits.acme.com).

    10 Drop all .eml files in the c:\SDLP\Lesson_10\Lab_10-02_L7_Filters folder into the c:\drop folder and review expected results.

    Question: How many incidents were created? Why?

    11 Clear all existing L7 Filters in the SMTP protocol.

    12 Recycle the detection server and suspend the Email Test Policy.

    End of lab
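Steps 6 and 9 turn on two matching details that are easy to get wrong in an SMTP (L7) filter: a sender-domain include must match the domain exactly, so acme.com does not cover benefits.acme.com, and excluding named senders is a different operation from including a sender domain. The script below is an added illustration of that decision logic, written for this page rather than taken from the lab guide or the product, and it does not reproduce the product's filter syntax. The acme.com domain and the benefits.acme.com sub-domain come from step 9; the two excluded sender addresses (user1@acme.com, user2@acme.com) are constructed placeholders because the page redacts them, and the sample messages stand in for the lab's .eml files.

```python
"""SMTP (Layer 7) sender/recipient filter decision logic.

Added illustration for the L7 Filters exercise above; it is not the product's
filter syntax. It shows the two matching rules the exercise turns on: a domain
filter matches the domain exactly (acme.com must not match benefits.acme.com),
and excluding specific senders is different from including a sender domain.
The addresses and messages below are constructed.
"""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class L7Filter:
    # None means "any sender domain"; otherwise only these exact domains are monitored
    monitored_sender_domains: Optional[FrozenSet[str]] = None
    # specific sender addresses that are never monitored
    excluded_senders: FrozenSet[str] = frozenset()
    # domains (and their sub-domains) treated as internal when checking recipients
    internal_domains: Tuple[str, ...] = ()


def address_of(header_value: str) -> str:
    """Lower-cased addr-spec from a From/To header value ('Joe <joe@x>' -> 'joe@x')."""
    return parseaddr(header_value)[1].lower()


def domain_of(header_value: str) -> str:
    return address_of(header_value).rpartition("@")[2]


def is_external(domain: str, internal_domains: Sequence[str]) -> bool:
    return not any(domain == d or domain.endswith("." + d) for d in internal_domains)


def should_monitor(flt: L7Filter, sender: str, recipients: Sequence[str]) -> bool:
    """Decide whether one outbound SMTP message is handed to detection."""
    if address_of(sender) in flt.excluded_senders:
        return False
    if flt.monitored_sender_domains is not None and domain_of(sender) not in flt.monitored_sender_domains:
        return False   # exact match only: a sub-domain of acme.com is not acme.com
    return any(is_external(domain_of(r), flt.internal_domains) for r in recipients)


def count_monitored(flt: L7Filter, messages) -> int:
    """How many (sender, recipients) pairs the filter would pass to detection."""
    return sum(should_monitor(flt, sender, rcpts) for sender, rcpts in messages)


# Step 6: monitor everything except two named senders (placeholders; the page redacts them).
STEP6_FILTER = L7Filter(excluded_senders=frozenset({"user1@acme.com", "user2@acme.com"}))

# Step 9: only senders at exactly acme.com, only when at least one recipient is external.
STEP9_FILTER = L7Filter(monitored_sender_domains=frozenset({"acme.com"}), internal_domains=("acme.com",))

# Constructed traffic standing in for the lab's .eml files.
SAMPLE_MESSAGES = [
    ("Joe User <joe@acme.com>", ["larry@outsider.example"]),   # acme.com to external: monitored by step 9
    ("hr@benefits.acme.com", ["larry@outsider.example"]),      # sub-domain sender: not acme.com
    ("joe@acme.com", ["jane@acme.com"]),                        # internal to internal: not outbound
    ("user1@acme.com", ["partner@example.net"]),                # excluded by the step 6 filter only
]

if __name__ == "__main__":
    for label, flt in [("step 6", STEP6_FILTER), ("step 9", STEP9_FILTER)]:
        print(f"{label}: {count_monitored(flt, SAMPLE_MESSAGES)} of {len(SAMPLE_MESSAGES)} messages monitored")
```

A recipient filter for a single address, as in step 3, is the same check applied to each recipient with exact addr-spec comparison; the display-name handling in address_of matters there, because a header such as "Larry <larry@outsider.example>" must match the bare address.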


    Lab 11: Network Prevent

    The purpose of this lab is to reinforce your working knowledge of Network Prevent. In this lab, you configure Symantec Data Loss Prevention to block a confidential e-mail and to send notifications to the e-mail sender and his or her manager. You also configure Symantec to reroute an e-mail for downstream encryption.

    Lab setup

    Use the Enforce and EndpointClient virtual machine images for this lab.


    Exercise 1: Network Prevent Blocking an SMTP Message

    Enforce: Administrator:Training1

    ACME's project team has elected to block certain high-risk SMTP communications as part of their phased roll-out of Symantec Data Loss Prevention. After ensuring that their ACME Protect Customer Data policy is accurate, they have decided to block all SMTP messages that violate that policy.

    Best Practice: Before turning on Network Prevent (Email), make sure all policies deploying SMTP Prevent response rules have been tested in your QA mail environment. This is to ensure policy accuracy and to confirm that offending SMTP messages are blocked or redirected and that non-offending messages can proceed normally through your mail chain. Symantec strongly recommends that, before turning on Network Prevent (Email), you notify your employees that their e-mail is being monitored and could be blocked.

    1 Flip the server to Network Prevent (Email).

    2 Verify that the ACME Protect Customer Data policy is enabled.

    3 Create a new Automated Response Rule that blocks e-mail.

        Name: ACME Block SMTP Rule
        Description: Notify Sender and Manager, Message Blocked.
        Condition: Protocol or Endpoint Monitoring is any of SMTP
        Action: Network Prevent: Block SMTP Message
        Action: All: Send Email Notification (for sender)
        Action: All: Send Email Notification (for sender's manager)

    4 Add the new response rule to the ACME Protect Customer Data policy.

    EndpointClient: Joe:Training1
    Enforce: Administrator:Training1

    5 Send an ordinary e-mail that contains no confidential information. Open Mozilla Thunderbird. Send an e-mail titled Hi, Larry from the Drafts folder.

    6 Confirm that the e-mail went through to Larry's inbox. Switch to the Larry Outsider inbox in Mozilla Thunderbird.

    7 Send an e-mail containing confidential information.

        a Sender: Joe User
        b E-mail name: Customer Data to Include in Report this Weekend (located in the Drafts folder of Mozilla Thunderbird on the Endpoint system).

    8 Confirm that Network Prevent (Email) rerouted the confidential e-mail to IT Security (and did not send it to Larry). Switch to Larry Outsider's inbox.

    9 Confirm that Jane Manager received a notification e-mail. Switch to Jane Manager's inbox.

    10 Review the incident in the Enforce administration console.

    11 After reviewing the incident, suspend the ACME Protect Customer Data policy.


    Exercise 2: Network Prevent Enforce Encryption of an SMTP Message

    EndpointClient: Joe:Training1
    Enforce: Administrator:Training1

    ACME's project team has elected to enforce encryption of all employee-related health information sent to their trusted benefits provider. ACME uses Symantec Encryption Management Server as their enterprise encryption tool. To enforce encryption, ACME configures Network Prevent (Email) to modify confidential e-mails by adding a header that the next-hop MTA recognizes as an instruction to redirect the message to Symantec Encryption Management Server. In this exercise, the particular header name is X-PGP-Redirect.

    Note: This exercise asks you to configure the appropriate response rule, add it to a policy, and send a confidential e-mail. In the lab environment, Network Prevent (Email) adds a header (specified in the response rule) to the confidential e-mail, but the MTA does not forward the e-mail to an encryption gateway, as the lab environment does not include one. However, the resulting incident looks the same as if the e-mail had been redirected.

    1 Create a new Automated Response rule.

        Name: ACME Encrypt SMTP Rule
        Description: Redirect Message to PGP-Encryption Gateway
        Condition: Protocol or Endpoint Destination is any of SMTP
        Action: Network Prevent: Modify SMTP Message
        Header 1 Name: X-PGP-Redirect
        Header 1 Value: Yes

    2 Customize the HIPAA (including PHI) policy to include the Automated Response, and change the data identifier detection condition SSN and Disease Keywords to medium breadth.

    3 Send an e-mail containing confidential information.

    4 Review the incident in the Enforce administration console.

    5 After reviewing the incident, suspend the HIPAA (including PHI) policy.

    End of lab
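The Modify SMTP Message action in Exercise 2 does one thing to the message: it adds a header (X-PGP-Redirect: Yes) that the next-hop MTA treats as a routing instruction. The script below is an added illustration of that mechanism, written for this page and not taken from the lab guide or the product. It applies the header to a constructed message, models the MTA's routing decision, and adds the defensive counterpart the exercise leaves implicit: because the MTA routes on a header, the header must be accepted only from the Prevent server, so any copy already present on a message arriving from outside is stripped before it can influence routing. The header name and value come from the exercise; the message text, addresses and host names are constructed.

```python
"""What the Modify SMTP Message action adds, and how a next-hop MTA acts on it.

Added illustration for Exercise 2 above; this is not the product's code. The
header name X-PGP-Redirect and the value Yes come from the exercise. The
message text and the host names are constructed.
"""
from email import message_from_string
from email.message import Message

REDIRECT_HEADER = "X-PGP-Redirect"

# Constructed stand-in for the confidential e-mail sent in step 3.
SAMPLE_EML = """\
From: Joe User <joe@acme.example>
To: claims@benefits-provider.example
Subject: Employee health information for March
Content-Type: text/plain; charset=us-ascii

Constructed body standing in for the PHI the HIPAA (including PHI) policy detects.
"""


def apply_modify_smtp_action(raw: str, header: str = REDIRECT_HEADER, value: str = "Yes") -> Message:
    """Add the response-rule header without touching the rest of the message."""
    msg = message_from_string(raw)
    if header in msg:
        msg.replace_header(header, value)   # idempotent: never stack duplicate redirect headers
    else:
        msg[header] = value
    return msg


def strip_untrusted_redirect(raw: str, header: str = REDIRECT_HEADER) -> Message:
    """Run at the edge, before Network Prevent: the header must only come from the
    Prevent server, so any copy already present on an incoming message is dropped."""
    msg = message_from_string(raw)
    del msg[header]   # removes every occurrence; a no-op if the header is absent
    return msg


def next_hop_route(msg: Message, gateway: str = "encryption-gateway", default: str = "internet") -> str:
    """Model of the MTA rule: deliver via the encryption gateway when the header says Yes."""
    return gateway if msg.get(REDIRECT_HEADER, "").strip().lower() == "yes" else default


def redirect_header_count(msg: Message) -> int:
    """Number of X-PGP-Redirect headers on the message (should be 0 or 1)."""
    return len(msg.get_all(REDIRECT_HEADER, []))


if __name__ == "__main__":
    modified = apply_modify_smtp_action(SAMPLE_EML)
    print(modified.as_string())
    print("route:", next_hop_route(modified))
```

Running the same message through apply_modify_smtp_action twice still yields a single header, which matters when a message traverses more than one Prevent-enabled hop; and strip_untrusted_redirect applied at the perimeter is what keeps the routing decision tied to the policy match rather than to whatever headers a message arrived with.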


    Lab 13: Network Discover and Network Protect

    The purpose of this lab is to reinforce your working knowledge of Network Discover and Network Protect. In this lab, you create Discover Targets, configure filters, scan a File System, view actionable incident data, and quarantine sensitive files. After working with scans, you run reports, including a differential report based upon a differential scan.

    Lab setup

    Use the Enforce virtual image for this lab.


    Exercise 1: Scanning a File-System Target

    Enforce: Administrator:Training1

    ACME is concerned that sensitive data may be wrongly exposed on corporate servers. They understand that Data at Rest is just one click away from being Data In Motion. To ensure that highly sensitive data is protected, the project team has asked the Information Security (InfoSec) team to look for Mergers and Acquisition data as well as pre-release financial data on the Private-Finance share and report if any such data is found.

    This lab creates a Target using the first of two methods for identifying shares, and runs a scan that produces incidents. Afterward, another Target is created using the second method, and it is also run to create incidents.

    1 Activate the ACME Protect Financial Data and Merger and Acquisition Agreements policies if they are not already active.

    2 Flip the server to Network Discover.

    3 Add a Discover Target.

        Type: Server File System

    4 Configure the General Tab.

        Name: ACME Scan for Financial Data
        Policy group: Corporate Financial Data Group
        Scan Type: Full Scan

    5 Configure the Scanned Content Tab.

        Default Username: Administrator
        Default Password: Training1
        Share File: c:\SDLP\Lesson_13\Lab_13-01_Sharelist\ACMEShareList.txt

    6 Start the Scan.

    7 Review the scan results.

        First Scan Results: Items Scanned = 54, Errors = 1, Incidents = 5
        Why is there an error?

    8 Open one of the downloadable reports.

    9 View Incidents.

    10 Create a new File System Target with an individual Share.

        Type: Server File System
        Name: ACME Private Financials
        Policy Group: Corporate Financial Data Group
        Default Username: Administrator
        Default Password: Training1
        UNC Path: \\Enforce\Private-Finance

    11 Start the scan and refresh until complete.

    12 Review scan results.

        Second Scan Results: Items Scanned = 1, Errors = 0, Incidents = 1

    Incident Remediation Tracking

    13 Note the incident number from step 12.

    14 Click the ACME Private Financials scan.

    15 Click the Advanced tab.

    16 Verify that Item No Longer Exists is selected under the Remediation Detection Preferences section.

    17 Click Cancel.

    18 Move the Q3DeptEarnings.xls file from the C:\Private-Finance\Financial-Quarterly folder to the desktop.

    19 Start the ACME Private Financials scan and refresh until complete.

    20 Navigate to Incidents > Discover > Incidents > New.

    21 Locate and click the incident from step 12.

    22 Notice the following new field under the Incident Details section:

        Name: Remediation Detection Status
        Description: Item No Longer Exists

    23 Copy the Q3DeptEarnings.xls file from the desktop to the C:\Private-Finance\Financial-Quarterly folder.
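Steps 13 to 23 exercise Remediation Detection: an incident raised by an earlier scan is re-checked on the next scan of the same Target, and if the file is gone the incident's Remediation Detection Status becomes Item No Longer Exists. The script below is an added illustration of that comparison, written for this page and not taken from the lab guide or the product. It also shows why paths have to be canonicalised before comparing, since Windows shares are case-insensitive and a file copied back with different casing is still the same item. The \\Enforce\Private-Finance share and the Q3DeptEarnings.xls file come from the exercise; the rest of the share listing is constructed.

```python
"""Remediation Detection for Network Discover incidents (Item No Longer Exists).

Added illustration for steps 13 to 23 above; not the product's code. It shows
the comparison behind the Remediation Detection Status field: an incident from
an earlier scan is checked against the items the new scan actually finds. The
share listing is constructed; only the share and Q3DeptEarnings.xls come from the lab.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

ITEM_NO_LONGER_EXISTS = "Item No Longer Exists"


def normalize(path: str) -> str:
    """Windows shares are case-insensitive and accept either slash; compare canonical forms."""
    return path.replace("/", "\\").rstrip("\\").lower()


@dataclass
class DiscoverIncident:
    incident_id: int
    path: str
    remediation_status: str = ""   # empty until a later scan shows the item is gone


def rescan(incidents: List[DiscoverIncident], items_found: Iterable[str]) -> List[DiscoverIncident]:
    """Update each earlier incident against the items the current scan found."""
    found = {normalize(p) for p in items_found}
    for inc in incidents:
        inc.remediation_status = "" if normalize(inc.path) in found else ITEM_NO_LONGER_EXISTS
    return incidents


def differential(previous_items: Iterable[str], current_items: Iterable[str]) -> Tuple[List[str], List[str]]:
    """(added, removed) item lists between two scans of the same Target."""
    prev = {normalize(p) for p in previous_items}
    cur = {normalize(p) for p in current_items}
    return sorted(cur - prev), sorted(prev - cur)


# Constructed share listing; the incident's file is the one the lab moves in step 18.
SHARE = r"\\Enforce\Private-Finance"
FIRST_SCAN = [SHARE + r"\Financial-Quarterly\Q3DeptEarnings.xls", SHARE + r"\Financial-Quarterly\Q3Notes.txt"]
AFTER_MOVE = [SHARE + r"\Financial-Quarterly\Q3Notes.txt"]
AFTER_COPY_BACK = [SHARE + r"\financial-quarterly\Q3DEPTEARNINGS.XLS", SHARE + r"\Financial-Quarterly\Q3Notes.txt"]


def demo() -> List[str]:
    """Incident status after the scan in step 19, then after a further scan following step 23."""
    incidents = [DiscoverIncident(1, FIRST_SCAN[0])]
    after_move = rescan(incidents, AFTER_MOVE)[0].remediation_status
    after_copy_back = rescan(incidents, AFTER_COPY_BACK)[0].remediation_status
    return [after_move, after_copy_back]


if __name__ == "__main__":
    print(demo())
    print(differential(FIRST_SCAN, AFTER_MOVE))
```

The differential function is the same set comparison a differential scan report relies on: items present now but not before are new exposure to review, and items present before but not now are the ones whose incidents should flip to Item No Longer Exists.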


    Exercise 2: Using Filters

    Enforce: Administrator:Train

    ACME's InfoSec team is preparing to scan terabytes of information looking for confidential financial information. To reduce the amount of unnecessary data to be scanned, they add filters to their Discover Target. In this exercise, we combine the two scans from the previous exercise. To do this, we update the first Target's sharelist with the individual share from the second Target.

    1 Add a single share to the Sharelist.

        Add \\Enforce\Private-Finance to ACMEShareList.txt (located at c:\Vontu\Protect\sharelists\)

    2 Edit File System Target.

    3 Start the Scan and refresh until Completed.

    4 Review the scan results, incidents, and note filtered files in detail.

        Scan results: Items Scanned = 42, Errors = 1, Incidents = 6